Jamf Protect - Alerts
| Id | 6098daa0-f05e-44d5-b5a0-913e63ba3179 |
| Rulename | Jamf Protect - Alerts |
| Description | Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel |
| Severity | High |
| Required data connectors | JamfProtect |
| Kind | NRT |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml |
| Version | 1.0.6 |
| Arm template | 6098daa0-f05e-44d5-b5a0-913e63ba3179.json |
jamfprotectalerts_CL
| extend
algorithm = "SHA256",
Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: DvcHostname
- identifier: OSFamily
columnName: DvcOs
- identifier: OSVersion
columnName: DvcOsVersion
- entityType: IP
fieldMappings:
- identifier: Address
columnName: Host_IPs
- entityType: Process
fieldMappings:
- identifier: CommandLine
columnName: TargetProcessCurrentDirectory
- identifier: ProcessId
columnName: TargetProcessId
- entityType: FileHash
fieldMappings:
- identifier: Algorithm
columnName: algorithm
- identifier: Value
columnName: TargetBinarySHA256
requiredDataConnectors:
- connectorId: JamfProtect
dataTypes:
- jamfprotectalerts_CL
suppressionEnabled: false
eventGroupingSettings:
aggregationKind: AlertPerResult
customDetails:
TargetBinarySignMsg: TargetBinarySigningInfoMessage
Protect_Tags: Tags
Related_Binaries: TargetBinaryFilePath
Protect_Analytic: EventMessage
TargetbinarySign: TargetbinarySignerType
JamfPro_Status: JamfPro
TargetBinarySigner: TargetBinarySigningTeamID
Related_File_hash: TargetBinarySHA256
Protect_Event_Type: EventType
relevantTechniques:
name: Jamf Protect - Alerts
tactics:
query: |
jamfprotectalerts_CL
| extend
algorithm = "SHA256",
Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
description: |
'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'
alertDetailsOverride:
alertDynamicProperties:
- value: EventVendor
alertProperty: ProviderName
- value: EventProduct
alertProperty: ProductName
- value: Techniques
alertProperty: Techniques
alertSeverityColumnName: EventSeverity
alertDescriptionFormat: '{{EventResultMessage}} - Please investigate'
alertDisplayNameFormat: '{{EventMessage}} detected on {{DvcHostname}}'
alertTacticsColumnName: Tactics
incidentConfiguration:
createIncident: true
groupingConfiguration:
reopenClosedIncident: false
enabled: false
lookbackDuration: PT5H
matchingMethod: AllEntities
severity: High
status: Available
kind: NRT
id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
version: 1.0.6
suppressionDuration: PT5H
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
"kind": "NRT",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{EventResultMessage}} - Please investigate",
"alertDisplayNameFormat": "{{EventMessage}} detected on {{DvcHostname}}",
"alertDynamicProperties": [
{
"alertProperty": "ProviderName",
"value": "EventVendor"
},
{
"alertProperty": "ProductName",
"value": "EventProduct"
},
{
"alertProperty": "Techniques",
"value": "Techniques"
}
],
"alertSeverityColumnName": "EventSeverity",
"alertTacticsColumnName": "Tactics"
},
"alertRuleTemplateName": "6098daa0-f05e-44d5-b5a0-913e63ba3179",
"customDetails": {
"JamfPro_Status": "JamfPro",
"Protect_Analytic": "EventMessage",
"Protect_Event_Type": "EventType",
"Protect_Tags": "Tags",
"Related_Binaries": "TargetBinaryFilePath",
"Related_File_hash": "TargetBinarySHA256",
"TargetbinarySign": "TargetbinarySignerType",
"TargetBinarySigner": "TargetBinarySigningTeamID",
"TargetBinarySignMsg": "TargetBinarySigningInfoMessage"
},
"description": "'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'\n",
"displayName": "Jamf Protect - Alerts",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DvcHostname",
"identifier": "HostName"
},
{
"columnName": "DvcOs",
"identifier": "OSFamily"
},
{
"columnName": "DvcOsVersion",
"identifier": "OSVersion"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "Host_IPs",
"identifier": "Address"
}
]
},
{
"entityType": "Process",
"fieldMappings": [
{
"columnName": "TargetProcessCurrentDirectory",
"identifier": "CommandLine"
},
{
"columnName": "TargetProcessId",
"identifier": "ProcessId"
}
]
},
{
"entityType": "FileHash",
"fieldMappings": [
{
"columnName": "algorithm",
"identifier": "Algorithm"
},
{
"columnName": "TargetBinarySHA256",
"identifier": "Value"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml",
"query": "jamfprotectalerts_CL\n| extend\n algorithm = \"SHA256\",\n Host_IPs = tostring(parse_json(DvcIpAddr)[0]),\n Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),\n Tactics = case(input.match.tags has \"Execution\", \"Execution\", input.match.tags has \"Visibility\", \"Visibility\", input.match.tags has \"Persistence\", \"Persistence\", input.match.tags has \"LateralMovement\", \"LateralMovement\", input.match.tags has \"CredentialAccess\", \"CredentialAcccess\", input.match.tags has \"DefenseEvasion\", \"DefenseEvasion\", input.match.tags has \"PrivilegeEscalation\", \"PrivilegeEscalation\", input.match.tags has \"Impact\", \"Impact\", input.match.tags has \"CommandAndControl\", \"CommandandControl\", input.match.tags has \"Discovery\", \"Discovery\", input.match.tags has \"InitialAccess\", \"InitialAccess\", \"\"),\n Techniques = pack_array(extract(@\"[A-Za-z]\\d{4}\", 0, tostring(input.match.tags))),\n JamfPro = case(input.match.actions has \"SmartGroup\", \"Workflow with Jamf Pro\", input.match.actions has \"Prevented\", \"No workflow, Prevented by Protect\", \"No workflow\")\n",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": null,
"techniques": null,
"templateVersion": "1.0.6"
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}